
dms123

Disable token auth


I have token_auth_enable as false - but it doesn't seem to take using uTorrent 3.3 on Linux.

I think this is a really bad design, it creates race conditions when under heavy load. Let's take for example a cluster of several uTorrent servers each doing 100 downloads each using the WebAPI "api". Obviously all of the requests being made aren't synchronous and likely spread across various processes, so you end up having bad tokens all the time and basically continue to make requests until it gets lucky and slips in there.

I think a better approach would be to simply have an IP whitelist. In any case, is there a way to really disable this?


Solving the race conditions will be better than opening your system up to malicious requests. I'll get someone to get in touch with you to work on them.

 

Thank you, so in our case we have the web UI on a private IP. One suggestion if keeping the token would be to give it an expiry, instead of every page load. So even if you load the token.html 100x, if it's within 30min or whatever the threshold is, it doesn't change.

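The expiry idea from the last post, sketched as an added example (not uTorrent's code and not posted by anyone in the thread): a token derived with an HMAC from a server-side secret, the client's session and the current 30-minute window, so concurrent workers that fetch it repeatedly all receive the same value until the window rolls over. The class name, the `session_id` parameter and the one-window grace period are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 30 * 60  # the 30-minute threshold suggested in the post


class WindowedTokenIssuer:
    """Hypothetical issuer: tokens stay constant within one time window."""

    def __init__(self, key=None, window=WINDOW_SECONDS):
        self._key = key or secrets.token_bytes(32)  # server-side secret
        self._window = window

    def _derive(self, session_id, window_index):
        # Binding the token to the session keeps it useless to other clients.
        msg = f"{session_id}|{window_index}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        return self._derive(session_id, int(now // self._window))

    def validate(self, session_id, token, now=None):
        now = time.time() if now is None else now
        current = int(now // self._window)
        ok = False
        # Accept the previous window as well, so a token fetched just
        # before rollover still works for a request already in flight.
        for idx in (current, current - 1):
            expected = self._derive(session_id, idx).encode()
            ok |= hmac.compare_digest(expected, token.encode())
        return ok


if __name__ == "__main__":
    issuer = WindowedTokenIssuer()
    t0 = 1_700_000_000  # constructed timestamp
    tok = issuer.issue("sess-A", now=t0)
    print("same window, same token:", tok == issuer.issue("sess-A", now=t0 + 900))
    print("valid one window later:", issuer.validate("sess-A", tok, now=t0 + 1800))
    print("valid two windows later:", issuer.validate("sess-A", tok, now=t0 + 3600))
```

Because the token is computed rather than stored, every process in a cluster that shares the key issues and accepts the same value without coordinating state.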